libdigidocpp
#include <OCSP.h>

Public Types

  enum CertStatus { GOOD, REVOKED, UNKNOWN }

Public Member Functions

  OCSP()
  ~OCSP()
  void setUrl(const std::string &url) throw (IOException)
  void setOCSPCerts(STACK_OF(X509) *ocspCerts)
  void setCertStore(X509_STORE *certStore)
  void setSignCert(X509 *signCert, EVP_PKEY *signKey)
  void setSkew(long skew)
  void setMaxAge(long maxAge)
  CertStatus checkCert(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce) throw (IOException, OCSPException)
  CertStatus checkCert(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce, std::vector<unsigned char> &ocspResponseDER, tm &producedAt) throw (IOException, OCSPException)
  void verifyResponse(const std::vector<unsigned char> &ocspResponseDER) const throw (IOException)
  std::vector<unsigned char> getNonce(const std::vector<unsigned char> &ocspResponseDER) const
  tm getProducedAt(const std::vector<unsigned char> &ocspResponseDER) const

Private Member Functions

  CertStatus checkCert(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce, OCSP_REQUEST **req, OCSP_RESPONSE **resp) throw (IOException, OCSPException)
  void connect() throw (IOException)
  void connectNoSSL() throw (IOException)
  void connectSSL() throw (IOException)
  OCSP_REQUEST *createRequest(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce) throw (IOException)
  OCSP_RESPONSE *sendRequest(OCSP_REQUEST *req) throw (IOException)
  CertStatus validateResponse(OCSP_REQUEST *req, OCSP_RESPONSE *resp, X509 *cert, X509 *issuer) throw (OCSPException)
  tm convert(ASN1_GENERALIZEDTIME *time) const throw (IOException)

Private Attributes

  std::string url
  std::string host
  std::string connhost
  std::string connport
  bool ssl
  long skew
  long maxAge
  BIO *connection
  SSL_CTX *ctx
  X509 *ocspCert
  STACK_OF(X509) *ocspCerts
  X509_STORE *certStore
  X509 *signCert
  EVP_PKEY *signKey
Detailed Description

Implements an OCSP request to an OCSP server. This class can be used to check whether a certificate is valid or not.

If certStore and/or ocspCerts is set, the certificate that signed the OCSP response is checked to confirm that it comes from the correct OCSP server. If signCert and signKey are set, the OCSP request is signed with the certificate provided.
Constructor & Destructor Documentation

digidoc::OCSP::OCSP()
Member Function Documentation

digidoc::OCSP::CertStatus digidoc::OCSP::checkCert(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce) throw (IOException, OCSPException)

Checks the validity of the certificate cert with the OCSP server. If the OCSP server certificate should be validated, set certStore and/or ocspCerts with the corresponding OCSP server certificates.

Parameters
  cert    certificate whose validity is checked with the OCSP server.
  issuer  issuer certificate (chain) of cert.
  nonce   value of the NONCE field in the OCSP request.

Exceptions
  IOException    thrown if communication with the OCSP server failed (e.g. incorrect OCSP URL, host does not exist, HTTPS connection certificate incorrect or missing, OCSP request could not be created, etc.), or if cert or issuer is NULL.
  OCSPException  thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.).

Definition at line 190 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), testOCSP(), and digidoc::SignatureBES::validateOnline().
digidoc::OCSP::CertStatus digidoc::OCSP::checkCert(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce, std::vector<unsigned char> &ocspResponseDER, tm &producedAt) throw (IOException, OCSPException)

Checks the validity of the certificate cert with the OCSP server. If the OCSP server certificate should be validated, set certStore and/or ocspCerts with the corresponding OCSP server certificates. Converts the OCSP response to DER encoding and returns it in the output parameter ocspResponseDER.

Parameters
  cert             certificate whose validity is checked with the OCSP server.
  issuer           issuer certificate (chain) of cert.
  nonce            value of the NONCE field in the OCSP request.
  ocspResponseDER  output parameter; receives the OCSP response in DER format.
  producedAt       output parameter; receives the response production time.

Exceptions
  IOException    thrown if communication with the OCSP server failed (e.g. incorrect OCSP URL, host does not exist, HTTPS connection certificate incorrect or missing, OCSP request could not be created, etc.), or if cert or issuer is NULL.
  OCSPException  thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.).

Definition at line 220 of file OCSP.cpp.

References THROW_IOEXCEPTION.
digidoc::OCSP::CertStatus digidoc::OCSP::checkCert(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce, OCSP_REQUEST **req, OCSP_RESPONSE **resp) throw (IOException, OCSPException)   [private]

Checks the validity of the certificate cert with the OCSP server. If the OCSP server certificate should be validated, set certStore and/or ocspCerts with the corresponding OCSP server certificates.

Parameters
  cert    certificate whose validity is checked with the OCSP server.
  issuer  issuer certificate (chain) of cert.
  nonce   value of the NONCE field in the OCSP request.
  req     output parameter; receives the OCSP request that was sent.
  resp    output parameter; receives the OCSP response that was received.

Exceptions
  IOException    thrown if communication with the OCSP server failed (e.g. incorrect OCSP URL, host does not exist, HTTPS connection certificate incorrect or missing, OCSP request could not be created, etc.), or if cert or issuer is NULL.
  OCSPException  thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.).

Definition at line 271 of file OCSP.cpp.

References digidoc::Conf::getInstance(), digidoc::Conf::getPKCS12Cert(), digidoc::Conf::getPKCS12Disable(), digidoc::Conf::getPKCS12Pass(), and THROW_IOEXCEPTION.
void digidoc::OCSP::connect() throw (IOException)   [private]

Creates a connection to the OCSP server based on the url provided.

Exceptions
  IOException  thrown if the connection could not be created.

Definition at line 366 of file OCSP.cpp.

References THROW_IOEXCEPTION.
void digidoc::OCSP::connectNoSSL() throw (IOException)   [private]

Creates a plain-text (unencrypted) connection to the OCSP server.

Exceptions
  IOException  thrown if the connection could not be created.
void digidoc::OCSP::connectSSL() throw (IOException)   [private]

Creates an SSL connection to the OCSP server.

Exceptions
  IOException  thrown if the connection could not be created.

Definition at line 407 of file OCSP.cpp.

References THROW_IOEXCEPTION.
tm digidoc::OCSP::convert(ASN1_GENERALIZEDTIME *time) const throw (IOException)   [private]

Extracts the date and time value from an ASN1_GENERALIZEDTIME struct.

Parameters
  asn1Time  ASN.1 GeneralizedTime struct.

Exceptions
  IOException  thrown if the time is in an incorrect format.

Definition at line 737 of file OCSP.cpp.

References i, and THROW_IOEXCEPTION.
OCSP_REQUEST *digidoc::OCSP::createRequest(X509 *cert, X509 *issuer, const std::vector<unsigned char> &nonce) throw (IOException)   [private]

Creates an OCSP request to check the validity of the certificate cert.

Parameters
  cert    certificate whose validity will be checked.
  issuer  issuer of the certificate.
  nonce   value of the NONCE field in the OCSP request.

Exceptions
  IOException  thrown if the request could not be created.

Definition at line 428 of file OCSP.cpp.

References THROW_IOEXCEPTION.
std::vector<unsigned char> digidoc::OCSP::getNonce(const std::vector<unsigned char> &ocspResponseDER) const

Extracts the nonce field from ocspResponseDER.

Parameters
  ocspResponseDER  DER encoded OCSP response bytes.

Definition at line 685 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::getNonce(), digidoc::SignatureDDOC::getNonce(), and digidoc::SignatureTM::validateOffline().
tm digidoc::OCSP::getProducedAt(const std::vector<unsigned char> &ocspResponseDER) const

Extracts the producedAt field from ocspResponseDER.

Parameters
  ocspResponseDER  DER encoded OCSP response bytes.

Definition at line 722 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::getProducedAt().
OCSP_RESPONSE *digidoc::OCSP::sendRequest(OCSP_REQUEST *req) throw (IOException)   [private]

Sends the OCSP request to the server and returns the response received from the server.

Exceptions
  IOException  thrown if the server failed to accept the request or returned an incorrectly formatted OCSP response.

Definition at line 476 of file OCSP.cpp.

References digidoc::appInfo(), digidoc::Conf::getInstance(), digidoc::Conf::getProxyPass(), digidoc::Conf::getProxyUser(), THROW_IOEXCEPTION, and VER_STR.
void digidoc::OCSP::setCertStore(X509_STORE *certStore)

Sets the certificate store that is used to validate the OCSP responder and in the HTTPS connection. The default value is NULL, which means no certificate store is used to validate the OCSP responder. For an HTTPS connection the certificate store is mandatory and cannot be set to NULL.

Parameters
  certStore  certificate store used to validate the OCSP responder and in the HTTPS connection.

Definition at line 137 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::validateOffline().
void digidoc::OCSP::setMaxAge(long maxAge)

Parameters
  maxAge  how old a precomputed OCSP response may be, in seconds. Default is 1 minute. The value is validated against the OCSP response field producedAt.

Definition at line 168 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), and testOCSP().
void digidoc::OCSP::setOCSPCerts(STACK_OF(X509) *ocspCerts)

Sets the certificate stack that is used to validate the OCSP responder. The default value is NULL, which means no certificate stack is used to validate the OCSP responder.

Parameters
  ocspCerts  certificate stack used to validate the OCSP responder.

Definition at line 123 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), digidoc::SignatureTM::validateOffline(), and digidoc::SignatureBES::validateOnline().
void digidoc::OCSP::setSignCert(X509 *signCert, EVP_PKEY *signKey)

Sets the certificate and private key with which the OCSP request is signed.

Parameters
  signCert  certificate used to sign the OCSP request.
  signKey   private key corresponding to signCert.
void digidoc::OCSP::setSkew(long skew)

Parameters
  skew  maximum tolerated time difference between the OCSP server and the host computer, in seconds. Default is 5 minutes.

Definition at line 159 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), and digidoc::SignatureBES::validateOnline().
void digidoc::OCSP::setUrl(const std::string &_url) throw (IOException)

Sets the OCSP connection URL.

Parameters
  url  full OCSP URL (e.g. http://www.openxades.org/cgi-bin/ocsp.cgi).

Exceptions
  IOException  thrown if the provided OCSP URL is in an incorrect format.

Definition at line 88 of file OCSP.cpp.

References digidoc::Conf::getInstance(), digidoc::Conf::getProxyHost(), digidoc::Conf::getProxyPort(), and THROW_IOEXCEPTION.

Referenced by digidoc::SignatureTM::notarize(), and digidoc::SignatureBES::validateOnline().
digidoc::OCSP::CertStatus digidoc::OCSP::validateResponse(OCSP_REQUEST *req, OCSP_RESPONSE *resp, X509 *cert, X509 *issuer) throw (OCSPException)   [private]

Validates the OCSP response. Checks the status code and the other fields against the OCSP request that was sent. Also parses and returns the certificate status code.

Parameters
  req     OCSP request that was sent to the OCSP server.
  resp    OCSP response that was received from the OCSP server.
  cert    certificate whose status was requested.
  issuer  issuer certificate of cert.

Exceptions
  OCSPException  thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.). Also checks that the response corresponds to the request sent.

Definition at line 546 of file OCSP.cpp.

References e, digidoc::Exception::OCSPRequestUnauthorized, digidoc::Exception::OCSPTimeSlot, digidoc::Exception::setCode(), THROW_OCSPEXCEPTION, and digidoc::OCSPException::toResponseStatusMessage().
void digidoc::OCSP::verifyResponse(const std::vector<unsigned char> &ocspResponseDER) const throw (IOException)

Checks that the response was signed with a trusted OCSP certificate.

Parameters
  ocspResponseDER  DER encoded OCSP response bytes.

Definition at line 628 of file OCSP.cpp.

References ERR, i, and THROW_IOEXCEPTION.

Referenced by digidoc::SignatureTM::validateOffline().